Web browsers have been a target of attackers for a long time. Google tried to contain the problem with a sandbox, but further progress there has been blocked by performance costs. The Chrome security team therefore recently announced that it is considering using the memory-safe language Rust to rewrite or develop some Chrome modules.

Memory safety is a problem the global software engineering community needs to take seriously. Last year Chrome engineers analyzed 912 security vulnerabilities fixed in the Chrome stable branch since 2015, all rated "high" or "serious" severity, and found that 70% of these serious vulnerabilities were memory safety issues. In other words, pointer errors in C or C++ code cause memory to be misinterpreted.

The Chrome security team says that although the sandbox combined with black-box testing remains Chrome's main "line of defense", it appears to have reached its limit, and this strategy alone can no longer hold off the flood of attacks.

The Chrome security team sees memory safety as both a challenge and an opportunity, because many bugs share the same root cause, which means that removing that root cause eliminates most of them in one step.

The Chrome security team has been exploring three major ways to address this:

  1. Make C++ safer by checking whether the pointer is correct at compile time.
  2. Make C++ safer by checking whether the pointer is correct at runtime.
  3. Investigate the use of memory-safe languages in some code bases.

A "compile-time check" means safety is guaranteed during the Chrome build process, before Chrome reaches the user's device. A "runtime check" means the check happens while Chrome is running on the user's device, and such checks cost performance: verifying a single pointer consumes little memory and CPU time, but across millions of pointers the cost adds up, and Chrome's performance matters to billions of users. Many of them use low-power mobile devices without much memory, so adding these checks would noticeably slow things down for them.

Ideally, then, Chrome would choose option 1 above and make C++ safer at compile time. Unfortunately, the language was not designed with that in mind, so Chrome is left with options 2 and 3 as well: make C++ safer (but slower), or start using a different language. The Chrome security team is experimenting with both.

The Chrome security team also described its major investments in C++ safety solutions such as PTR and the ABSL/STL hardened modes. In each case the goal is to eliminate a significant share of exploitable security vulnerabilities, but some performance loss is expected.
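The toy below is an added illustration, not code from the Chrome project or from the original article, of what option 2 (a runtime pointer check) looks like and what it costs. Every tracked object carries a small header with an alive flag and a reference count, a `CheckedPtr<T>` refuses to dereference an object that has been freed, and freed memory stays quarantined until the last `CheckedPtr` to it is gone, so a stale pointer can never read reused memory. The names `AllocHeader`, `Tracked`, `CheckedPtr`, `tracked_new` and `tracked_delete` are this example's own inventions; the extra flag test on each dereference is exactly the per-pointer overhead the article says adds up across millions of pointers.

```cpp
#include <cstdio>
#include <stdexcept>

// Bookkeeping placed in front of every tracked object (constructed for this example).
struct AllocHeader {
    bool alive = true;  // cleared when the owner frees the object
    int refs = 0;       // number of CheckedPtr instances still pointing at it
};

template <typename T>
struct Tracked {
    AllocHeader hdr;
    T value;
};

template <typename T>
Tracked<T>* tracked_new(T v) {
    return new Tracked<T>{AllocHeader{}, v};
}

// Owner-side free: the object is poisoned immediately, but its memory is only
// reclaimed once no CheckedPtr refers to it (quarantine), so a stale
// CheckedPtr can never observe reused memory.
template <typename T>
void tracked_delete(Tracked<T>* t) {
    t->hdr.alive = false;
    if (t->hdr.refs == 0) delete t;
}

// A raw-pointer replacement that pays one flag test per dereference: this is
// the per-access cost the runtime-check approach accepts.
template <typename T>
class CheckedPtr {
public:
    CheckedPtr() = default;
    explicit CheckedPtr(Tracked<T>* t) : t_(t) { acquire(); }
    CheckedPtr(const CheckedPtr& o) : t_(o.t_) { acquire(); }
    CheckedPtr& operator=(const CheckedPtr& o) {
        if (this != &o) { release(); t_ = o.t_; acquire(); }
        return *this;
    }
    ~CheckedPtr() { release(); }

    // Every dereference goes through here: a dangling pointer is rejected
    // instead of silently reading freed (or reused) memory.
    T* get() const {
        if (t_ == nullptr) throw std::runtime_error("null dereference");
        if (!t_->hdr.alive) throw std::runtime_error("use-after-free detected");
        return &t_->value;
    }
    T& operator*() const { return *get(); }
    T* operator->() const { return get(); }
    bool dangling() const { return t_ != nullptr && !t_->hdr.alive; }

private:
    void acquire() { if (t_) ++t_->hdr.refs; }
    void release() {
        if (t_ == nullptr) return;
        // Last reference to an already-freed object: now the memory can go.
        if (--t_->hdr.refs == 0 && !t_->hdr.alive) delete t_;
        t_ = nullptr;
    }
    Tracked<T>* t_ = nullptr;
};

// Normal lifetime: the check passes and the object is reclaimed on free.
int demo_live_access() {
    Tracked<int>* obj = tracked_new(7);
    int v = 0;
    {
        CheckedPtr<int> p(obj);
        v = *p;
    }                     // p released: refs back to 0, object still alive
    tracked_delete(obj);  // no outstanding references: reclaimed immediately
    return v;
}

// A cached pointer outlives the object it points to. With a raw pointer the
// second read would be a silent use-after-free; here it is caught.
bool demo_detects_use_after_free() {
    Tracked<int>* obj = tracked_new(42);
    CheckedPtr<int> cached(obj);
    int before = *cached;   // object alive: fine
    tracked_delete(obj);    // owner frees it while `cached` still exists
    try {
        int after = *cached;  // stale access through the cached pointer
        (void)after;
        return false;         // not reached: the check throws first
    } catch (const std::runtime_error&) {
        return before == 42 && cached.dangling();
    }
}   // `cached` destroyed here: last reference, quarantined memory released

int main() {
    std::printf("live access value: %d\n", demo_live_access());
    std::printf("use-after-free caught: %s\n",
                demo_detects_use_after_free() ? "yes" : "no");
    return 0;
}
```

The branch in `get()` is what the article's "runtime check" trades for safety: cheap on its own, but paid on every dereference on every device. Option 1 and Rust aim to make the same guarantee at compile time, where the equivalent stale access to `cached` would be rejected by the compiler and nothing remains to check on the user's device.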

The Chrome security team is also exploring whether memory-safe languages can be used for certain parts of Chrome in the future; the strongest candidate is Rust, which is (to a large extent) safe at compile time. In other words, the Rust compiler finds pointer errors before the code reaches the user's device, so there is no runtime performance loss. However, open questions remain about whether Chrome can make C++ and Rust work together. Even if Chrome started writing large new components in Rust tomorrow, it would not eliminate most security vulnerabilities within a few years. So can the language boundaries be made clean enough that Rust can be used to rewrite some existing components? The Chrome security team cannot yet answer this question.

For the developer team, security is a "cat and mouse game": as attackers keep "innovating", the browser must add new defenses to stay ahead. Although Chrome has invested in a more robust multi-process architecture on top of its sandbox and site isolation, attacks are still sometimes hard to prevent.

At present, the Chrome security team has begun limited, non-user-facing Rust experiments in the Chrome source tree. Since this is still experimental, Rust is not used in production builds of Chrome.

Reference link:

https://security.googleblog.com/2021/09/an-update-on-memory-safety-in-chrome.html


MissD